Dear list, I'm currently tinkering with adding host attributes (As custom attrs, or for the moment into the description field). My intention is to then read these from the host in order to define some local behaviour for scripts or puppet. Example - a concept of machine ownership, or device class for local scripts or puppet to know about. The two ways I've thought of so far entail - having the CLI tools installed to run IPA commands, or - kinit -kt /etc/krb5.keytab followed by ldapsearch to read in the parts I'm interested in. It occurred to me that sssd or some other components I understand less well might already be able to trivially read the host data IPA holds, or that the kinit might not be needed given the machine can already read out getent aprts direct from LDAP/IPA values with a non network account in use. Any ideas or suggestion around this so I don't reinvent the wheel?

Thank you, that's a great help. One follow up question. Is there some way of cajoling ipa host-show into only displaying specific fields? Or is it better just to use ldapsearch with a suitable search filter (given both need to use the host or a service keytab if this is to be run by puppet).

The fields I'm interested in (descriptions, platform, OS, Class) are thankfully available (at least using the host principal).

Kind regards, David On 14 May 2018 at 14:14, Alexander Bokovoy <abokovoy(a)redhat.com&gt; wrote: > On ti, 27 maalis 2018, David Harvey via FreeIPA-users wrote: > >> Dear list, >> >> I'm currently tinkering with adding host attributes (As custom attrs, or >> for the moment into the description field). My intention is to then read >> these from the host in order to define some local behaviour for scripts or >> puppet. >> >> Example - a concept of machine ownership, or device class for local >> scripts >> or puppet to know about. >> >> The two ways I've thought of so far entail >> >> - having the CLI tools installed to run IPA commands, or >> - kinit -kt /etc/krb5.keytab followed by ldapsearch to read in the parts >> I'm interested in. >> >> It occurred to me that sssd or some other components I understand less >> well >> might already be able to trivially read the host data IPA holds, or that >> the kinit might not be needed given the machine can already read out >> getent >> aprts direct from LDAP/IPA values with a non network account in use. >> >> Any ideas or suggestion around this so I don't reinvent the wheel? >> > While SSSD can be taught to read user-specific attributes by adding them > in the configuration, the same cannot be done for host-specific > attributes. So you are back to those two methods you outline above. > > One note is that you'd need to add permissions to be able to read the > attributes we don't explicitly allow for services/host principals. See > https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/ for > details on how to achieve that. For plugin examples look at my > github.com/abbra/ page for freeipa-* plugin repos. > > -- > / Alexander Bokovoy > Sr. Principal Software Engineer > Security / Identity Management Engineering > Red Hat Limited, Finland >